Honeypots
Honeyd - ports not opening Feb 19 2007 04:24PM
Mark C (vedasx gmail com)
Hello,

I'm working on a group project at IIT and I am having some problems
setting up honeyd. I was told by Lance Spitzner to send you a
detailed question.

I've configured honeyd to be as simple and generic as possible to aid
in troubleshooting. The problem is that honeyd will run, but will not
open ports, nor will it behave like the OS that it's set to behave
like. If you're willing to help, I've pasted relevant bits below.

Thanks,
Mark

Config ...

create default
set default personality "Microsoft Windows 2000 Server SP2"
add default tcp port 80 open
add default tcp port 88 open
add default tcp port 135 open
add default tcp port 139 open
add default udp port 135 open
add default udp port 139 open
set default default tcp action reset
set default default udp action reset
set default uptime 16000000

And it runs, as root ...

Honeyd V1.5b Copyright (c) 2002-2004 Niels Provos
honeyd[5812]: started with -i eth1 -p /usr/share/honeyd/nmap.prints -x
/usr/share/honeyd/xprobe2.conf -a /usr/share/honeyd/nmap.assoc -l
/var/log/honeyd -f /usr/share/honeyd/honeyd.conf 216.47.140.225
honeyd[5812]: listening promiscuously on eth1: (arp or ip proto 47 or
(udp and src port 67 and dst port 68) or (ip and (host
216.47.140.225))) and not ether src 00:06:4f:25:61:ae
Honeyd starting as background process

And an nmap from a remote computer, although the result is almost
identical when nmapping localhost ...

Professor,

I configured honeyd exactly as described in the design doc you posted
to BB
(http://blackboard.iit.edu/courses/1/ITM549_IT449-WLIDINSK.07S/db/_51626_1/honeypotsscmjj-finalDOC.pdf
- if you can't load the file, you have to log into BB first)

Configuration:

create default
set default personality "Microsoft Windows 2000 Server SP2"
add default tcp port 80 open
add default tcp port 1337 open
add default tcp port 88 open
add default tcp port 135 open
add default tcp port 139 open
add default udp port 135 open
add default udp port 139 open
set default default tcp action reset
set default default udp action reset
set default uptime 16000000

Starting honeyd....:

[root@unixc31 mark]# ./start-honeyd
Honeyd V1.5b Copyright (c) 2002-2004 Niels Provos
honeyd[5812]: started with -i eth1 -p /usr/share/honeyd/nmap.prints -x
/usr/share/honeyd/xprobe2.conf -a /usr/share/honeyd/nmap.assoc -l
/var/log/honeyd -f /usr/share/honeyd/honeyd.conf 216.47.140.225
honeyd[5812]: listening promiscuously on eth1: (arp or ip proto 47 or
(udp and src port 67 and dst port 68) or (ip and (host
216.47.140.225))) and not ether src 00:06:4f:25:61:ae
Honeyd starting as background process

nmapping from a remote computer, although the result is almost
identical when doing it from localhost:

$ sudo nmap -O 216.47.140.225

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-02-11 15:25 CST
Interesting ports on 216.47.140.225:
Not shown: 1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
MAC Address: 00:06:4F:25:61:AE (Pro-nets Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
Uptime 8.391 days (since Sat Feb 3 06:02:12 2007)
